
VEX export returns invalid cyclonedx

Open muellerst-hg opened this issue 1 year ago • 0 comments

Current Behavior

Given a project with two components which have the same vulnerability
When I click "Export VEX"
Then a VEX file is delivered which contains duplicate items in the vulnerabilities section
But according to the CycloneDX 1.5 schema this is invalid

Tested with 4.11.3 and 4.12-snapshot from 2024/06/11

Steps to Reproduce

  1. Create a new project and upload the following BOM file: bom-express.json
  2. Wait for analysis to be finished
  3. Go to the "Audit Vulnerabilities" tab and click "Download VEX" (which returns the following VEX file: vex-express.json)
  4. Enable "BOM Validation" in "Configuration/Bom Format" settings
  5. Click "Apply VEX" and try to upload the above VEX file
  6. Upload fails with: "The uploaded BOM is invalid. Schema validation failed"

The same duplicates can be found when exporting the BOM using "Download BOM -> Inventory with Vulnerabilities".

Expected Behavior

I expect a valid CycloneDX BOM to be returned by "Export VEX".

Dependency-Track Version

4.11.3

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

14

Browser

Mozilla Firefox

Checklist

muellerst-hg · Jun 11 '24 15:06
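The defect described in this issue is easy to detect on the consuming side before an import is attempted. The following Python script is an added example, not part of the issue or of Dependency-Track's code: it loads a CycloneDX JSON document, reports every vulnerability that appears more than once (identity taken as source name plus id, which is stricter than the byte-identical comparison a schema validator applies), and produces a repaired copy in which duplicates are collapsed into one entry whose `affects` list is the union of the originals. The embedded VEX document is constructed for this example and is not the vex-express.json attached to the issue; the CVE ids and package URLs in it are placeholders.

```python
import json
from collections import OrderedDict

# Constructed sample VEX (not the issue's vex-express.json): two components share
# CVE-0000-0001 and the exporter emitted the vulnerability once per component.
# Ids and purls are placeholders, not real identifiers.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "vulnerabilities": [
        {
            "id": "CVE-0000-0001",
            "source": {"name": "NVD"},
            "affects": [{"ref": "pkg:npm/example-a@1.0.0"}],
        },
        {
            "id": "CVE-0000-0001",
            "source": {"name": "NVD"},
            "affects": [{"ref": "pkg:npm/example-b@2.0.0"}],
        },
        {
            "id": "CVE-0000-0002",
            "source": {"name": "NVD"},
            "affects": [{"ref": "pkg:npm/example-a@1.0.0"}],
        },
    ],
})


def vuln_key(vuln):
    """Identity of a vulnerability entry: (source name, id)."""
    source = (vuln.get("source") or {}).get("name", "")
    return (source, vuln.get("id", ""))


def find_duplicate_vulnerabilities(bom):
    """Return the (source, id) keys that occur more than once in `vulnerabilities`."""
    counts = {}
    for vuln in bom.get("vulnerabilities", []):
        key = vuln_key(vuln)
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, count in counts.items() if count > 1)


def merge_duplicate_vulnerabilities(bom):
    """Return a copy of the BOM with one entry per (source, id).

    The first occurrence wins for all fields except `affects`, whose refs are
    unioned across duplicates with their original order preserved.
    """
    merged = OrderedDict()
    for vuln in bom.get("vulnerabilities", []):
        key = vuln_key(vuln)
        if key not in merged:
            entry = dict(vuln)                      # shallow copy; input is not mutated
            entry["affects"] = list(vuln.get("affects", []))
            merged[key] = entry
            continue
        existing = merged[key]["affects"]
        known_refs = {a.get("ref") for a in existing}
        for affect in vuln.get("affects", []):
            if affect.get("ref") not in known_refs:
                existing.append(affect)
                known_refs.add(affect.get("ref"))
    result = dict(bom)
    result["vulnerabilities"] = list(merged.values())
    return result


def check_and_fix(vex_json):
    """Parse a CycloneDX JSON string; return (duplicate keys, repaired document)."""
    bom = json.loads(vex_json)
    return find_duplicate_vulnerabilities(bom), merge_duplicate_vulnerabilities(bom)


if __name__ == "__main__":
    dupes, fixed = check_and_fix(SAMPLE_VEX)
    print("duplicate vulnerabilities:", dupes)
    print(json.dumps(fixed, indent=2))
```

Run against a real export, the "duplicate vulnerabilities" line is the check to apply before enabling BOM validation on the receiving instance; the repaired document can then be uploaded with "Apply VEX". Merging on (source, id) rather than on whole-object equality also catches the variant where the exporter lists the same vulnerability twice with a different `affects` ref each time, which a schema validator alone would accept.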